Privacy Policy
RippleVMS - Volunteer Management System
Last Updated: June 28, 2026
Introduction
RippleVMS ("we," "us," or "our") operates a volunteer management system (the "VMS" or "Service"), a digital platform designed to coordinate volunteer activities, including shift scheduling, training, and—where enabled by an organization—incident reporting and responder dispatch. The Service is available as a website and as native mobile applications for iOS and Android. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service through any of these channels.
By using the VMS, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.
Information We Collect
Information You Provide Directly
Volunteer Account Information
Accounts are created either when a coordinator invites you or when you register yourself using an organization's invitation link. In either case we collect:
- Contact Information: Preferred name (display name you choose), email address, phone number, and/or Signal ID
- Language Preferences: Primary language and additional languages spoken
- Zone Preferences: Geographic zones where you prefer to volunteer
- Emergency Contact: If you choose to provide it, the name and phone number of an emergency contact
Application & Intake Information
If you apply to join an organization through a self-registration link, we also collect:
- Application Details: The date you applied and your application status (e.g., pending, approved)
- Intake Responses: Answers to any intake questions the organization configures (these may include free-text responses you provide). Intake responses are encrypted at rest.
Volunteer Activity Information
As you use the Service, we collect:
- Shift Participation: Shifts you RSVP to, your confirmation status, and attendance/check-in records
- Training Records: Training sessions attended and qualifications earned (as configured by your organization)
Incident & Dispatch Information
Some organizations enable incident reporting and responder dispatch. Where these features are used, the Service processes:
- Incident Reports: Descriptions, observations, status, priority, and any structured details entered by the reporter or coordinators
- Location Details: A free-text location and, optionally, latitude/longitude coordinates associated with an incident or point of interest. Coordinates may be typed in or derived from an organization's saved locations. In our mobile apps, if you choose "Use Current Location" when reporting an incident, the app reads your device's current GPS location (with your permission) to fill in the incident's coordinates. This is one-time and user-initiated—the app does not track or continuously monitor your location in the background.
- Reporter & Callback Information: If provided, the name, phone number, and email address of the person who reported an incident or who should be contacted about it. This information may relate to members of the public who are not registered users; it is encrypted at rest.
- Dispatch & Response Records: Responder assignments, acknowledgements, status changes (e.g., en route, on site), and timeline messages exchanged among responders and coordinators
- Media Attachments: Photos and videos uploaded to an incident. Uploaded media is stored as provided and may contain embedded metadata (such as the time, camera, or GPS location recorded by the capturing device). We do not currently remove this metadata, so avoid uploading media you do not wish to share with your organization's coordinators and responders.
Information Collected Automatically
Device and Usage Information
When you access the VMS, we may automatically collect:
- Browser and Device Information: Browser type and operating system. When you use our mobile apps, we may also collect device model, operating system version, and app version to support and troubleshoot the apps.
- Access Logs: Date and time of access, pages visited, and actions taken within the Service
- Session Information: On the website, authentication tokens are stored in secure, HTTP-only cookies. In our mobile apps, authentication tokens are stored in the device's secure storage (the iOS Keychain or Android encrypted storage) rather than cookies.
- Push Notification Tokens: If you enable notifications, we collect the push token issued by your device or browser so we can deliver alerts about shifts, trainings, and—where enabled—incidents and dispatch requests. You can disable push notifications at any time in your device or browser settings.
Cookies & Tracking Technologies
We use strictly necessary cookies and similar technologies to keep you signed in, secure your session, and remember preferences such as language and zone filters. These cookies are first-party, short-lived, and are not shared with advertisers. We do not run third-party behavioral advertising or analytics scripts inside the VMS. You can control cookies through your browser settings, but disabling essential cookies may prevent certain features from working.
How We Use Your Information
We use the information we collect to:
Operate and Improve the Service
- Create and manage your volunteer account
- Coordinate volunteer shift scheduling and assignments
- Track training completion and qualifications
- Match volunteers with appropriate shifts based on zone assignments
- Where enabled by your organization, coordinate incident response—routing dispatch requests to responders, tracking response status, and maintaining an incident timeline
Communications
- Send email notifications about shifts, training sessions, and schedule changes
- Send push notifications to your device or browser (when enabled) about shifts, trainings, and—where enabled—incidents and dispatch requests
- Provide important updates about the Service or your volunteer activities
- Send password reset emails when requested
Administrative Purposes
- Maintain accurate records of volunteer participation
- Generate reports on volunteer activity and program effectiveness
- Improve the Service based on usage patterns
Information Sharing and Disclosure
Within the Organization
Your information may be accessed by:
- Coordinators: To manage volunteer assignments, view contact information, and track participation
- Dispatchers: To view shift schedules, coordinate activities, and (where enabled) triage incidents and assign responders
- Responders: Where incident dispatch is enabled, volunteers assigned to an incident may see incident details, location, reporter/callback information, media, and the identities of other responders assigned to that incident
- Administrators: To manage system settings and oversee operations
With Third-Party Service Providers
We use the following third-party services to operate the VMS (this list represents our primary processors and may be updated as our infrastructure evolves):
| Service | Purpose | Data Shared |
|---|---|---|
| Neon (PostgreSQL) | Database hosting | All stored data (encrypted at rest by Neon; sensitive PII fields are additionally encrypted at the application level before storage) |
| Vercel | Application hosting | Application data |
| Amazon SES | Email delivery | Email addresses and notification content |
| Google Maps | Zone boundary display | Zone boundary coordinates (public) |
| Amazon S3 | File storage | Uploaded documents, training materials, and media files (encrypted at rest with AES-256 server-side encryption) |
| Upstash Redis | Rate limiting | IP addresses (temporary, for abuse prevention; hashed before any persistent storage) |
| Apple Push Notification service (APNs) | Push notification delivery to iOS devices | Device push token and notification content (e.g., shift, training, or incident alerts) |
| Google Firebase Cloud Messaging (FCM) | Push notification delivery to Android devices | Device push token and notification content (e.g., shift, training, or incident alerts) |
Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).
With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
Data Security
We implement layered technical and organizational safeguards to keep personal information confidential, including encryption, network and application controls, and monitoring. While the specifics of our controls evolve as risks change, the principles below remain constant.
Technical Safeguards
- All traffic to the VMS is protected with modern HTTPS/TLS encryption. Our database provider encrypts all stored data at rest, and we apply an additional layer of application-level AES-256-GCM encryption to sensitive personal information (names, email addresses, phone numbers, emergency contacts, and Signal handles) before it reaches the database. Uploaded files and documents are stored with AES-256 server-side encryption at rest.
- To enable secure lookups on encrypted fields, we maintain HMAC-SHA256 blind indexes of email addresses and names. These one-way hashes allow authentication and search without exposing or decrypting the underlying values.
- User passwords are hashed with bcrypt before storage. Verification and password-reset tokens are hashed with SHA-256 and expire automatically.
- Multi-factor authentication (MFA) is available via time-based one-time passwords (TOTP). When enabled, login requires a six-digit code from an authenticator app. Ten single-use backup codes are provided in case you lose access to your authenticator; each backup code is individually bcrypt-hashed before storage.
- On our mobile apps, you can optionally enable Face ID or Touch ID to lock the app. Biometric verification is performed entirely on your device by the operating system; we never receive, store, or transmit your biometric data.
- Role-based access control ensures volunteers, coordinators, dispatchers, and administrators only see the information required for their duties.
- We validate and sanitize user input, enforce per-endpoint sliding-window rate limits (e.g., login attempts, password resets, signups), use anti-CSRF tokens on state-changing requests, and apply standard security headers to reduce the risk of common web attacks.
Operational Safeguards
- Production infrastructure is hosted with providers that maintain independent security certifications (including SOC 2 Type II), and environments are isolated so test data never mingles with production.
- Access to infrastructure and keys is limited to authorized personnel and protected through secrets management and audit logging.
- We review unusual sign-in attempts, track administrative changes, and follow an incident response process that includes notifying affected users when required by law.
- Dependencies and platform components are patched regularly to address known vulnerabilities.
Data Retention
We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Volunteer Accounts: Account information is retained while your account is active and for up to 24 months after inactivity unless we are legally required to keep it longer.
- Shift and Training Records: Participation records are retained for at least 36 months to support operational reporting and safety reviews, after which they may be archived or anonymized.
- Aggregate Analytics: We generate nightly aggregate statistics (e.g., total volunteer hours, attendance rates, engagement counts) from shift and membership data. These snapshots contain no personally identifiable information and are retained for up to 12 months to support organizational trend reporting.
- System and Audit Logs: Operational logs (access events, administrative changes, system health checks) are retained for 7 to 30 days depending on category, then automatically deleted.
To request deletion of your data, please contact us using the information provided below.
Your Rights and Choices
Access and Correction
You can access and update your profile information at any time through the VMS dashboard. This includes:
- Contact information
- Language preferences
- Zone preferences
Data Deletion
You may request deletion of your personal data by contacting us. Please note that:
- We may retain certain information as required by law or for legitimate business purposes
- Some information may be retained in anonymized form for statistical purposes
- Deletion of your account will remove your ability to participate as a volunteer
Additional Privacy Rights
Depending on where you live, you may be entitled to additional rights such as data portability, objection or restriction of processing, the right to opt out of certain disclosures, or the right to lodge a complaint with your local supervisory authority. We will honor applicable requests when they are submitted through the contact information below and may need to verify your identity before fulfilling them.
Email Communications
You can manage your email notification preferences through your profile settings. You may unsubscribe from non-essential communications while still receiving important operational emails.
Children's Privacy
The VMS is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can take appropriate action.
Geographic Scope
The Service is hosted in the United States, and all data is processed and stored within the United States.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on the VMS
- Updating the "Last Updated" date at the top of this policy
- Sending an email notification for significant changes
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
RippleVMS
Email: RippleVMS@honeybadgerapps.com
Website: ripple-vms.com
Acknowledgment
By using the RippleVMS Volunteer Management System, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by its terms.
